Cisco Router and ASA Firewall Phase 1: Establishing a VPN with aggressive-mode (Test)
1. Overview:
The phase 1 of an L2L VPN can be configured as aggressive-mode. Because aggressive-mode is less secure than main-mode, it is generally used for client dial-up (remote access) instead.
Reference links:
http://networkology.net/2013/06/24/ios-site-to-site-vpn-aggressive-mode-ccie-notes/
http://wenku.baidu.com/view/2bc4751f59eef8c75fbfb3ae.html
http://bbs.51cto.com/thread-918833-1.html
2. Basic approach:
A. Test establishing an L2L VPN between a router and a firewall with phase 1 in aggressive-mode
B. Confirm by packet capture whether the negotiation carries the hostname
3. Test topology:
4. Basic configuration:
- A.R1:
- interface Ethernet0/0
- ip address 192.168.1.1 255.255.255.0
- no shut
- ip route 0.0.0.0 0.0.0.0 192.168.1.2
- B.R2:
- interface Ethernet0/0
- ip address 192.168.1.2 255.255.255.0
- ip nat inside
- no shut
- interface Ethernet0/1
- ip address 202.100.1.2 255.255.255.0
- ip nat outside
- no shut
- ip route 0.0.0.0 0.0.0.0 202.100.1.3
- ip access-list extended PAT
- deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
- permit ip 192.168.1.0 0.0.0.255 any
- ip nat inside source list PAT interface Ethernet0/1 overload
- C.R3:
- interface Ethernet0/0
- ip address 202.100.1.3 255.255.255.0
- no shut
- interface Ethernet0/1
- ip address 202.100.2.3 255.255.255.0
- no shut
- D.ASA842:
- interface GigabitEthernet0
- nameif Inside
- security-level 100
- ip address 172.16.1.10 255.255.255.0
- no shut
- interface GigabitEthernet1
- nameif Outside
- security-level 0
- ip address 202.100.2.10 255.255.255.0
- no shut
- route Outside 0.0.0.0 0.0.0.0 202.100.2.3
- object network Inside_net
- subnet 172.16.1.0 255.255.255.0
- nat (Inside,Outside) dynamic interface
- policy-map global_policy
- class inspection_default
- inspect icmp
- E.R4:
- interface Ethernet0/0
- ip address 172.16.1.4 255.255.255.0
- no shut
- ip route 0.0.0.0 0.0.0.0 172.16.1.10
5. VPN configuration:
A. R2:
① Phase 1 policy:
- crypto isakmp policy 10
- encr 3des
- hash md5
- authentication pre-share
- group 2
- crypto isakmp key cisco123 hostname ASA842 (this line is redundant and does not need to be configured)
- crypto isakmp identity hostname
- crypto isakmp keepalive 10 periodic
- crypto isakmp peer address 202.100.2.10
- set aggressive-mode password cisco123
- set aggressive-mode client-endpoint ipv4-address 202.100.1.2 (this is required; without it the VPN cannot be initiated from the router side)
② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic:
ip access-list extended VPN
permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
④ Configure the crypto map and apply it to the interface (the peer is the ASA Outside address 202.100.2.10, the same address used in crypto isakmp peer above):
- crypto map crymap 10 ipsec-isakmp
- set peer 202.100.2.10
- set transform-set transet
- set pfs group2
- match address VPN
- reverse-route
- interface Ethernet0/1
- crypto map crymap
B. ASA842:
① Phase 1 policy:
- crypto ikev1 policy 10
- authentication pre-share
- encryption 3des
- hash md5
- group 2
- crypto isakmp identity hostname
- tunnel-group 202.100.1.2 type ipsec-l2l
- tunnel-group 202.100.1.2 ipsec-attributes
- ikev1 pre-shared-key cisco123
② Phase 2 policy:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic and the NAT exemption:
- access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
- object network Inside_net
- subnet 172.16.1.0 255.255.255.0
- object network Remote_net
- subnet 192.168.1.0 255.255.255.0
- nat (Inside,Outside) source static Inside_net Inside_net destination static Remote_net Remote_net
④ Configure the crypto map and apply it to the interface:
- crypto map crymap 10 match address VPN
- crypto map crymap 10 set pfs
- crypto map crymap 10 set peer 202.100.1.2
- crypto map crymap 10 set ikev1 phase1-mode aggressive
- crypto map crymap 10 set ikev1 transform-set transet
- crypto map crymap 10 set reverse-route
- crypto map crymap interface Outside
⑤ Enable IKEv1 on the interface:
crypto ikev1 enable Outside
6. Packet capture test:
A. In phase 1, aggressive mode uses three packets in total; only the third packet is encrypted.
B. Whether the router's set aggressive-mode client-endpoint is an FQDN or an IP address only determines what the router uses when it initiates the connection itself;
-----if the firewall side initiates, the router always replies with its own hostname, not with the FQDN or IP from the configuration.
C. If the router's client-endpoint is an IP, the router uses the IP address when it initiates aggressive mode.
D. If the router's client-endpoint is an FQDN, the router uses the configured FQDN when it initiates aggressive mode.
E. Regardless of whether client-endpoint is an FQDN or an IP, if the firewall side initiates, the identity the router replies with is always its own hostname.
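To make the capture check in point B concrete, the following added example (not part of the original post) parses the ISAKMP header and the Identification payload of a UDP/500 packet and reports the exchange type, whether the packet is encrypted, and which ID type (FQDN or IPv4 address) the peer sent. The packets it runs on are constructed to model this topology, not real captures; the hostname R2 and the address 202.100.1.2 are assumed from the lab above.

```python
import socket, struct

# ISAKMP constants from RFC 2408: exchange types, payload types, identification types
EXCHANGE_TYPES = {2: "main", 4: "aggressive"}
PAYLOAD_ID, PAYLOAD_HASH, PAYLOAD_NONCE = 5, 8, 10
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}
FLAG_ENCRYPTED = 0x01
HEADER_FMT = "!8s8sBBBBII"  # iSPI, rSPI, next payload, version, exchange, flags, msg ID, length

def parse_isakmp(data: bytes) -> dict:
    """Parse one ISAKMP message (UDP/500 payload): exchange, encryption flag, Identification payload."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = struct.unpack(HEADER_FMT, data[:28])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match the packet")
    result = {"exchange": EXCHANGE_TYPES.get(exch, f"type-{exch}"),
              "encrypted": bool(flags & FLAG_ENCRYPTED), "identity": None}
    off = 28
    # Payloads are only readable in the clear (aggressive packets 1 and 2); packet 3 is encrypted.
    while not result["encrypted"] and nxt != 0:
        if off + 4 > len(data):
            raise ValueError("payload chain runs past the end of the packet")
        nxt_next, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        body = data[off + 4:off + plen]
        if nxt == PAYLOAD_ID and len(body) >= 4:  # ID type, protocol, port, then the ID data
            id_type, id_data = body[0], body[4:]
            value = socket.inet_ntoa(id_data) if (id_type, len(id_data)) == (1, 4) else id_data.decode("ascii", "replace")
            result["identity"] = (ID_TYPES.get(id_type, f"type-{id_type}"), value)
        nxt, off = nxt_next, off + plen
    return result

def build_message(exchange: int, payloads: list, encrypted: bool = False) -> bytes:
    """Constructed test helper: chain (payload_type, body) pairs behind an ISAKMP header."""
    body = b""
    for i, (_, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    header = struct.pack(HEADER_FMT, b"\x11" * 8, b"\x00" * 8, payloads[0][0] if payloads else 0,
                         0x10, exchange, FLAG_ENCRYPTED if encrypted else 0, 0, 28 + len(body))
    return header + body

# Constructed samples (not captures): router packet 1 with an FQDN or IPv4 client-endpoint, and packet 3.
ID_FQDN = struct.pack("!BBH", 2, 17, 500) + b"R2"
ID_IPV4 = struct.pack("!BBH", 1, 17, 500) + socket.inet_aton("202.100.1.2")
SAMPLE_FQDN = build_message(4, [(PAYLOAD_NONCE, b"\x01" * 16), (PAYLOAD_ID, ID_FQDN)])
SAMPLE_IPV4 = build_message(4, [(PAYLOAD_NONCE, b"\x01" * 16), (PAYLOAD_ID, ID_IPV4)])
SAMPLE_PKT3 = build_message(4, [(PAYLOAD_HASH, b"\xaa" * 16)], encrypted=True)
```

On a real capture, feed the UDP payload of each port-500 packet to parse_isakmp: packets 1 and 2 of an aggressive exchange show the identity in the clear, which is exactly why point B is observable at all.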
7. PIX 8.0 configuration:
---If the ASA842 is replaced with a PIX 8.0, the PIX configuration is as follows:
A. Basic configuration:
- interface Ethernet0
- nameif Inside
- security-level 100
- ip address 172.16.1.10 255.255.255.0
- no shut
- interface Ethernet1
- nameif Outside
- security-level 0
- ip address 202.100.2.10 255.255.255.0
- no shut
- route Outside 0.0.0.0 0.0.0.0 202.100.2.3
- access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
- nat (Inside) 1 access-list PAT
- global (Outside) 1 interface
- access-list OUTSIDE extended permit icmp any any
- access-group OUTSIDE in interface Outside
B. VPN configuration:
① Phase 1 policy:
- crypto isakmp policy 10
- authentication pre-share
- encryption 3des
- hash md5
- group 2
- crypto isakmp identity hostname
- tunnel-group 202.100.1.2 type ipsec-l2l
- tunnel-group 202.100.1.2 ipsec-attributes
- pre-shared-key cisco123 (must match the key configured on R2)
---Note: the tunnel-group can also be named with the peer's FQDN.
② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic and the NAT exemption:
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT
④ Configure the crypto map and apply it to the interface:
- crypto map crymap 10 match address VPN
- crypto map crymap 10 set pfs
- crypto map crymap 10 set peer 202.100.1.2
- crypto map crymap 10 set transform-set transet
- crypto map crymap 10 set phase1-mode aggressive group2 (group2 is the default and does not appear in the show output)
- crypto map crymap 10 set reverse-route
- crypto map crymap interface Outside
⑤ Enable ISAKMP on the interface:
crypto isakmp enable Outside